Survey of Information Technology

U.S. Securities and Exchange Commission, Office of Inspector General

This document is an HTML formatted version of a printed document. The printed document may contain agency comments, charts, photographs, appendices, footnotes and page numbers which may not be reproduced in this electronic version. If you require a printed version of this document contact the United States Securities and Exchange Commission, Office of Inspector General, Mail Stop 11-7, 450 Fifth Street N.W., Washington, D.C. 20549 or call (202) 942-4460.

Survey of Information Technology
Audit Report No.
214
February 7, 1995

EXECUTIVE SUMMARY

To assist in audit planning, we performed a survey of the Office of Information Technology (OIT). During the survey, we identified several possible enhancements to OIT's policies and procedures. These include improving access controls for the headquarters computer room; developing detailed information on the Commission's software applications; and issuing security guidance, among other matters.

OIT generally agrees with our recommendations, and is taking steps to implement them. We have modified the report as appropriate, based on OIT's comments on prior drafts, as well as comments from the Executive Director, the Division of Enforcement, and the Office of Administrative and Personnel Management (attached).

SCOPE AND OBJECTIVES

The primary objective of our survey was to gather information about the Office of Information Technology to assist in audit planning. We also sought (where feasible without detailed testing) to identify possible enhancements to OIT's operations.

During the survey, we interviewed OIT and other Commission staff, reviewed selected documentation, and observed computer room operations. We conducted limited tests of certain security functions.

The survey was performed between August and October 1994, in accordance with generally accepted government auditing standards.

BACKGROUND

In November 1992, the Offices of ADP Services and EDGAR Management were merged to form the Office of Information Technology. The merger was intended to strengthen ADP planning and operations, and to clarify organizational responsibilities. The head of the office was named the Commission's Chief Information Officer (this position is currently vacant).

OIT has approximately 130 staff, distributed in four offices: Planning, Administration, and Security; Operations; User Support Services; and Systems Support.
In addition, the Office makes extensive use of contractors, especially for software development projects.

The Office provides a broad range of ADP services, including mainframe and network operations; application development and maintenance; and related support services. In its IRM Implementation Plan, the Commission projected 1995 OIT expenditures of approximately $30 million.

SURVEY RESULTS

Our survey identified several possible enhancements to Commission ADP operations, which are presented below.

Concurrent Sessions

The Commission network (known as SECOA) allows users to have concurrent sessions (i.e., logging on from one computer before logging off from another). This feature weakens security, and distorts reporting of user access. On the other hand, the Division of Enforcement has indicated that certain staff regularly need concurrent sessions (see its comments).

Recommendation A

OIT should determine whether it is feasible and appropriate to set the SECOA operating system (Novell) to prohibit concurrent sessions. It should consult with affected user offices on this issue.

E-mail Policy

OIT does not have a policy regarding storage of electronic mail messages on the network. Excessive storage of e-mail could cause unnecessary hardware purchases.

Recommendation B

In consultation with user offices, OIT should develop a policy limiting network storage of electronic mail. OIT indicated that a policy has been developed, and will be implemented soon.

Headquarters Computer Room Access

The Office of Administrative and Personnel Management (OAPM) issues card keys to control access to the Operations Center and its computer room.

During the survey, an OIG auditor and an OIT contractor were able to access the headquarters computer room with their card keys. Their user security profiles did not authorize this access. Apparently, the card key software was not working as intended, weakening security.

Recommendation C

OAPM should correct the card key software.
OAPM indicated that the contractor has corrected the software.

Recommendation D

OIT should periodically validate computer room authorizations.

Security Documentation Access

Software security documentation is readily accessible to all users of the Operation Center Library. To enhance security, access to this documentation is normally restricted to authorized personnel.

Recommendation E

OIT should restrict access to software security documentation to authorized personnel.

Warning Banner

When logging on to the network, users are warned that unauthorized use is prohibited. However, the warning does not mention that the government may monitor user activities.

Users of the mainframe do not receive any warning; instead, they receive the message "Welcome." This message has been construed in court proceedings as an invitation for otherwise unauthorized activities.

Recommendation F

OIT should develop a revised warning banner for the Commission's computer systems, and delete the "Welcome" message on the mainframe. A sample warning is shown in the Appendix.

Data on Software Applications

Certain basic data on the Commission's software applications are not readily available, including:

the hardware they operate on,
the operating and database management systems that support them,
the dates the applications were put into production,
the dates the applications were last revised, and
the dates of risk assessments or certifications of the applications.

OIT agrees that these data would be helpful, and has asked a contractor to collect them.

Recommendation G

OIT should develop procedures for collecting basic data on Commission software applications.

Security Guidance

OIT has not yet issued final guidance on ADP security, although it has developed several drafts, which have not yet been approved by the Office of the Executive Director.
This issue has been mentioned in prior OIG audit reports.

Recommendation H

In consultation with OIT and the End User Advisory Committee, the Office of the Executive Director should approve issuance of ADP security guidance.

Default Password

The Commission recently implemented a Private Automatic Branch Exchange (PABX) telephone system. The master password for the PABX has not been changed from the default setting. Anyone knowing this default password could reconfigure the PABX without authorization.

Recommendation I

The Office of Administrative and Personnel Management should change the default password, or take other measures to enhance the security of the PABX.

Development of Procurement System

OIT is currently developing an automated procurement system for the Commission. The Patent and Trademark Office (PTO) of the Department of Commerce has a procurement system with several desirable features. It is listed on the GSA schedule, is client-server based, and interfaces with the Federal Financial System, the Commission's accounting system. The cost of the system is approximately $50,000.

Recommendation J

OIT should consider PTO's procurement system in its alternatives analysis.

Dial-out Connections

Establishing a dial-out connection from the network can take several attempts, particularly when using WINDOWS (three or more attempts from the Operations Center, and ten or more from headquarters). The difficulties relate to the availability of dial-out ports and WINDOWS hardware and software compatibility issues.

Recommendation K

OIT should monitor usage and availability of dial-out ports, and inform user support staff of the WINDOWS compatibility issues.

Orientation for New Employees

OAPM gives new employees an orientation to the Commission. Because of the importance of ADP, the orientation should include ADP activities.

Recommendation L

OIT, in consultation with OAPM, should develop orientation materials for ADP activities.
For example, the materials could include the names of the ADP liaisons, OIT's help desk number, and information on external databases, EDGAR, and the local area network.

APPENDIX

The following warning banner is based on the banner used by the Department of Commerce, a banner suggested by the Department of Justice, and the Commission's "Policy Statement on the Use of Electronic Mail."

WARNING**WARNING**WARNING

This computer system is Federal property, and is to be used only for authorized government purposes. Misuse of this computer system is a violation of Federal law (Pub. L. 99-474).

All users of this system, whether authorized or not, are subject to monitoring by system personnel. Anyone using this system expressly consents to such monitoring. Evidence of criminal activity or other misconduct may be provided to law enforcement and Commission officials.

Electronic messages (e-mail) on this system are government property. The Commission may access these messages whenever such access serves a legitimate governmental purpose.
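The "Concurrent Sessions" finding and Recommendation A above ask OIT to determine whether prohibiting concurrent logons is feasible, noting that such logons distort reporting of user access. The following is an added example, not part of the OIG report and not SECOA or Novell tooling: it shows how an operator could measure, from logon/logoff records, how often a user is actually logged on from two workstations at once, and surface the records that break the pairing (a logoff with no logon, or an open session with no logoff). The log line format, the user names and the workstation names are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime
from itertools import combinations

# Constructed sample records (not from the report). One event per line:
# "<timestamp> <user> <LOGON|LOGOFF> <workstation>"
SAMPLE_LOG = """\
1994-09-12T08:02 jdoe LOGON WS-101
1994-09-12T08:05 asmith LOGON WS-102
1994-09-12T09:10 jdoe LOGON WS-205
1994-09-12T11:30 jdoe LOGOFF WS-101
1994-09-12T12:00 asmith LOGOFF WS-102
1994-09-12T12:15 asmith LOGON WS-102
1994-09-12T17:00 jdoe LOGOFF WS-205
1994-09-12T17:05 bjones LOGOFF WS-300
"""

# Sentinel end time for a session that has no LOGOFF in the records yet.
OPEN_END = datetime.max


def parse_sessions(log_text):
    """Pair LOGON/LOGOFF events into (start, end, workstation) per user.

    A LOGON with no matching LOGOFF is treated as still open (end = OPEN_END).
    A LOGOFF with no prior LOGON on that workstation, or a second LOGON on a
    workstation that already has an open session, is returned as an anomaly
    so the reporting gap itself is visible rather than silently dropped.
    """
    open_sessions = {}            # (user, workstation) -> start time
    sessions = defaultdict(list)  # user -> [(start, end, workstation), ...]
    anomalies = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, event, ws = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M")
        key = (user, ws)
        if event == "LOGON":
            if key in open_sessions:
                anomalies.append(line)
                continue
            open_sessions[key] = when
        elif event == "LOGOFF":
            start = open_sessions.pop(key, None)
            if start is None:
                anomalies.append(line)
                continue
            sessions[user].append((start, when, ws))
    # Whatever is still open at the end of the records is an open-ended session.
    for (user, ws), start in open_sessions.items():
        sessions[user].append((start, OPEN_END, ws))
    return sessions, anomalies


def concurrent_sessions(sessions):
    """Return {user: [(ws_a, ws_b, overlap_start, overlap_end), ...]}.

    Only sessions on two different workstations count as concurrent; a user
    logging off and back on at the same station is a sequential session.
    """
    result = {}
    for user, ranges in sessions.items():
        overlaps = []
        for (s1, e1, w1), (s2, e2, w2) in combinations(ranges, 2):
            if w1 == w2:
                continue
            start, end = max(s1, s2), min(e1, e2)
            if start < end:  # the two time ranges intersect
                overlaps.append((w1, w2, start, end))
        if overlaps:
            result[user] = overlaps
    return result


def concurrency_report(log_text):
    """Convenience wrapper: (concurrent sessions by user, anomalous lines)."""
    sessions, anomalies = parse_sessions(log_text)
    return concurrent_sessions(sessions), anomalies


if __name__ == "__main__":
    report, bad_lines = concurrency_report(SAMPLE_LOG)
    for user, overlaps in report.items():
        for ws_a, ws_b, start, end in overlaps:
            print(f"{user}: {ws_a} and {ws_b} overlap {start:%H:%M}-{end:%H:%M}")
    for line in bad_lines:
        print("unpaired event:", line)
```

Run against real records, the overlap list tells the office how many staff actually rely on concurrent sessions (the Division of Enforcement's concern) before a prohibition is configured, and the anomaly list shows where the access reporting is already unreliable. In the constructed sample, jdoe is concurrently logged on at WS-101 and WS-205 from 09:10 to 11:30, asmith's two sessions at WS-102 are sequential and do not count, and bjones's logoff has no matching logon.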